Posted by Zonk on Monday December 10, 2007 @03:42AM from the think-before-you-send-is-a-great-adage dept.

TwistedOne151 writes "Law.com has an article outlining how the casual attitude of many employees toward work e-mails has resulted in some thorny problems for corporate in-house counsel. 'It has now become routine even in civil investigations for computers to be subpoenaed so lawyers can look at e-mails and hard drives. And one thing always leads to another. "We have forensic software that shows multiple levels of deletions. It shows thought processes. We can learn far more than from just a document alone," said [Scott] Sorrels. "E-mails have taken over the world."'"

I'm surprised at all the people that use webmail, even compsci students at my college. I think people would not be so swift to abandon it if they used an email client program. Emails in Thunderbird are much quicker than using the mess that is Facebook. It'll never rival IM but it's pretty darn close.

A mafia boss in Italy was caught in 2006; he used small paper notes with (sloppily) encrypted messages [theregister.co.uk] on them to send out orders. Apparently it worked for a long time, and would still have worked if he had used better encryption.

The one thing that can never really be dealt with in terms of keeping email private is the fact that no matter how much you encrypt, use Tor etc., you can't escape the fact that the person at the other end can always make a backup copy. The lesson here? If you really don't want something to get out into the world in one way or another, DON'T SEND IT.

Never email what you can say over the phone.
Never say over the phone what you can say in person.

The preferred mode of communication in the modern world is E-mail; the two modes of communication you suggested are actually considered rude these days. I fully understand people's right to have a paper or E-mail trail to cover their ass, but it still gives me a kick to break the unwritten rule that 'all communication must be by E-mail'. People get so deliciously annoyed because they know they can't go and justify their objections to direct contact, to their bosses, without admitting that most of their insi

I fully understand people's right to have a paper or E-mail trail to cover their ass, but it still gives me a kick to break the unwritten rule that 'all communication must be by E-mail'.

Email has the advantage over paper of being time stamped and easily searchable.

People get so deliciously annoyed because they know they can't go and justify their objections to direct contact, to their bosses, without admitting that most of their insistence on E-mail only communication is mostly just an excuse to make it

I do configuration management. For years (and possibly decades before I ever came on the scene) it was pretty routine for code to be written, 'tested', and put in production with no paper trail of any sort. We would constantly be pounded on by various business groups for broken code making it to production, and the defense of "Well, you told us it passed your test and was OK for production" was worthless because they'd simply deny it. Maybe you're just lucky and haven't worked in a business environment wher

...every time I have tried to use email to justify something the other party said "and you know how easily email can be faked don't you?"

Usually, an enterprise messaging system with integrated digital signatures solves that issue. I *hate* Lotus Notes with an unbridled passion. However, one of the very few things I like about it is how easy it is to have digitally signed messages (and verifying signatures). Where I'm at (a global security group), we mandate that any "official" emails are digitally signed.

Storing voicemails? No thanks. Approvals here are almost entirely email-based, with multiple signatories. If not, a voice vote is counted on the record by a project manager and all parties are sent copies of the minutes from that meeting. CYA city.

shut the hell up! I always find it weird that people talk so much about the things they aren't supposed to be doing. Yes, you have to be on the same page. But if you and I already know we're doing that thing at that place next week or so, do we need to explicitly say that in a conversation right now?

I've never been involved in crime per se, but I've done stuff I didn't want broadcast (to my parents, employer, then-wife, etc) and the most galling truth is that people can't keep their mouths shut about

Actually, if you read the article, the issue of revealing more than you meant to is only half of the scope of the problem. There's also the fact that email isn't seen as formal communication, which means that you can typically find email that's anything but "the truth, the whole truth, and nothing but the truth," and yet it's entered into court records as evidence as if it were. I think the real problem that we have is that we view email as if it were written communication after the fact, but when we're writ

Actually, if you read the article, the issue of revealing more than you meant to is only half of the scope of the problem. There's also the fact that email isn't seen as formal communication, which means that you can typically find email that's anything but "the truth, the whole truth, and nothing but the truth," and yet it's entered into court records as evidence as if it were.

I think the real problem that we have is that we view email as if it were written communication after the fact, but when we're writing it, most of us think of it roughly the same way that we view casual conversation.

I agree. A quick Google isn't revealing the source, however there was research a few years back that indicated that someone was less likely to lie in email than in a verbal conversation; this is thought to be related to the fact that an email is seen to be a record even if informal.

I think the real problem that we have is that we view email as if it were written communication after the fact, but when we're writing it, most of us think of it roughly the same way that we view casual conversation.

On the other hand, those that do consider it formal communication can use this to their advantage.

My bosses hate email and when they do write it, they often use it like IM: one line of almost incomprehensible gibberish. They try to give any instructions they need to in person. But that leads

I hear this sort of advice on Slashdot a lot. "If you don't take [insert privacy procedure here], you're ASKING to get caught!" "Don't say anything over email you wouldn't shout in a crowded room!" And so on.

It's kind of dispiriting to me that so many people consider this an acceptable status quo. That you're not allowed to use the Internet, the DOMINANT new form of communication, the one that was supposed to "free" us somehow, without the expectation that everyone from Big Brother to your kid sister is watching over your shoulder.

The "take privacy procedure" and "don't email anything you don't want to get in trouble for" advice in this case is not being applied to the general public; it's for emails at WORK.

The internet was not made so you could say things that make you liable at your job and get away with it. Read the article - it effectively equates interoffice emails to official business. You are "allowed" to use the internet, and you can use it to communicate freely and easily; however, you can neither use company email anonymously nor without consequence, because it creates a permanent record.

I think that it's reasonable to say "don't write anything in a COMPANY email that could get you fired or be used in a lawsuit", just like you wouldn't write those kinds of things in an office-wide memo. Your work email is not private; it belongs to the company, which makes you and the company both responsible for it.

Suppose a typical situation comes up at work; you want to fire seven US Attorneys, for example. Easy solution: don't discuss it on the work email! That should be obvious. Just use a separate external email address that is on a server where you can easily delete the contents. C'mon. Security 101.

Well, it all boils down to "don't tell secrets to people who can't keep a secret". And also: "People who are not good at IT don't know how to hide things from a court of law". So don't do unlawful things with them.

Encryption is more about making it impossible (or at least computationally expensive) to scan your email for 'flagged' stuff, and making it hard for people to accidentally forward confidential information. For example, if I forward a 'Company Confidential' encrypted email to someone outside of the company, they cannot get a decryption license because my company's AD doesn't recognize them, so it prevents me from shooting myself in the foot and bringing my company down with me.

Now I didn't RTFA, but even the summary seems to say a bit more. For a start, that they can look through deleted drafts on your hard drive and see what the email looked like before you actually edited and sent it. Or even if you don't send it at all.

Plus, screw email, we've already seen this kind of thing happen with edited Word documents, Excel files, or PDFs. Stuff that was never actually sent or published in any way is dug out of the document and used against you.

E.g., I remember a somewhat recent story on The Register where a politician was under fire over a donation she originally said she knew nothing about, but after some looking through the document history, it looked like she or maybe her husband had a note in the document at some point to check if that's OK.

And now I'm all for accountability in politics, but there's nothing to say that it can't apply to your joke mailing list just the same.

E.g., basically, if your client sues your company about bad support, any emails where you told a colleague that that client is an asshat and shouldn't be taken seriously can get dug out and used against you. That much was probably clear to you too. But here's the more important part: even if you _didn't_ actually send that email, if at some point you saved a draft, that too can be dug out and used as a hint about your thought processes.

So it seems to me like the danger is even more insidious. Even if you think thrice before sending an email, well, computers got us trained that all sorts of transient information can be stored there for later. Even stuff you never intended to send, or notes to self for later, or whatever. Even trivial stuff that people used to just hold in their head is now somewhere on the computer because it's easy to do so. And stuff that people would first roll around in their head before writing on paper now gets written anyway and edited later, because it's easy to do so.

And then used as some kind of proof of how your train of thought went. Which was a rather private thing before.

Worse yet, it's now all in one place. So even if previously you'd keep your private thoughts in a diary, chances are it wouldn't get shown in court unless your character made any difference (e.g., if you pleaded entrapment). Or they might want to see your letters to your accountant, but not your letters to your mistress. Nowadays that hard drive is one big pot with _everything_. (Again, even transient stuff you deleted long ago and forgot was ever on that computer.) Once you get ordered to hand it over, someone _will_ poke his/her nose through everything on it. From business stuff, to your reminders in Outlook to go to Alcoholics Anonymous, to joke lists you're on, to God knows what else.

Sure, most of it probably won't be allowed in court or even presented. But you never know what might be anyway. E.g., if you were hit with a sexual harassment or discrimination lawsuit, your porn browsing history or subscription to some dumb-blonde jokes list might be interesting after all.

At any rate, _someone_ out there might end up knowing more about you than you thought possible. Even if you think twice before hitting the Send button.

It gets worse than that. The article refers to forensic software that can track deletions and thought processes. That's speaking specifically about Outlook, which uses Word as its mail editor. Think of it: Word keeps track of all changes to a document (that's how "Track Changes" works). Even if you DON'T send it, the forensic software might spot a message you NEVER INTENDED to send.

The reality is that this cannot be avoided. If your company mandates Outlook, then the only way you can escape this "thought

Precisely. Corporations were invented to serve the public, not the other way around.

That said, this does raise important privacy issues for individuals. Nothing that GPG + secure deletion can't solve though, if anyone could make a decent email client that took the donkey work out of using GPG.

My reaction as well, so corporations now have a new problem: they can no longer hide their illegal practices from the legal system. Shock! Horror! What injustice!

Am I the stupid one here, or is this in fact a good thing for corporations? Maybe now corrupt practices will become so dangerous that the people that remain employed might actually be the honest people (gasp).

You are wrong about one thing though, corporations were never invented to serve the public, they have no other purpose than to make money f

Yeah, makes me wonder how many cases of "oops, we broke the law" have been exposed by email trails. If the matter is handled well, and this can be shown to the court, the person suing may well get less money than if there had not been an email trail and the court/jury had to just assume the worst. Of course, in a perfect world, it wouldn't be possible to accidentally break the law, but we live in a society where most everyone has broken one law or another.

You are wrong about one thing though, corporations were never invented to serve the public, they have no other purpose than to make money for their owners (which in a lot of cases are stock holders). That's it. They can have statutes and whatnot that say that they should give back to the community and serve the countries they work in or whatever but that's just dressing on top of the one basic tenet: make money for your owners.

Not-for-profit corporations do not mean they don't or can't have profits. Income - Expenses = Surplus. This surplus is treated as profit when it is paid out as dividends. It is treated as just excess (not taxable) when it is re-invested. The original purpose of ANY corporation is to act as a front to the actual investors; the fall guy who goes down financially should something bad happen.

However, in the past 100 years, since the Rail Robber Barons, and others, the assault on the judiciary to treat a corporation as natural

Nothing that GPG + secure deletion can't solve though, if anyone could make a decent email client that took the donkey work out of using GPG.

That would be Mailcrypt plus whatever your favorite Emacs Lisp mail program is, available for well over a decade now and as transparent as it's going to get. When I was still actively following the cypherpunks mailing list, I participated in a public test of a fully encrypted mailing list managed by a special version of Majordomo. Gnus 5 & Mailcrypt handled it like a champ.

This comment was long overdue. The article ostensibly dealt with computer privacy, but the real topic is how to avoid leaving fingerprints when using your work e-mail. In other words, corporate counsel is teaching their bosses how to avoid writing "the smoking gun memo." Remember: it's not destroying evidence if you're just telling them not to create evidence in the first place! I recall being a part of conversations along the lines of, "It's your practice and habit to not save drafts of documents you creat

If it's off the record, don't write it. Pick up the phone or better yet, walk over. Don't hit the send button in the heat of anger.

Or here's an idea: don't be a backstabbing two-faced liar. Office politics is one of the many reasons why I am happy to work from home more often than not. If you're getting angry about someone, go have it out with them. If you're getting all steamed up about decisions made by others, remember your place, get over it, or stop being so serious; it's just a job.

My personal favorite is the few times I've had to voice concern over the possible legal implications of a particular action. I've had people IM or call me instead of replying to emails because they don't want to be "on the record". To which I have said in the past: "Oh, don't you know the IM is logged?" or "You know, if you don't reply to my email and clear this up, then all that will be 'on the record' is my concerns and none of your explanations."

Of course, there are people who think it's okay to break the law, just so long as no one finds out about it. To those people I don't send email; I send it direct to the CEO.

Yep, and they got that way by being the most comfortable with hedging the line, and the most skilled at getting away with stuff. Great sociopaths make great CEOs; it's just that their kink is money, which is a fixation society tends to admire rather than censure. I don't think the public was all that furious at even the Enron guys; the closer the stink got to the Bush administration, the more people dismissed it as "political," like Whitewater.

In a previous job I was a s/w developer, and I had a particularly troublesome boss. The sort who would say "let me know if any problems at all arise" and then at reviews would say "you kept telling me all the problems that came up", or "I want to hear solutions, not problems". Anyway, he had a habit of telling people by phone to do things which were against procedures if it would help us meet deadlines, saying that we didn't have to be so rigid; if things went wrong he'd immediately blame the developers.

This is also good practice if, say, you have to ring the bank with some issue of policy or a dispute and they tell you something which you think might be rescinded later. Write and say "in accordance with our telephone conversation on the Xth of $Month you told me blah blah and this means I shall...." and ensure you keep signed and dated copies. Months later, if they change their mind, you can point to the letter and say that since they didn't countermand it, the contract as offered in the letter stands.

Implied contract? Yes you can; your bank and credit card company do it all the time. They send you notice of a change of T's and C's; you could write and refuse, but then essentially you're giving notice of intent to terminate the contract. In my example, what you are doing is turning the verbal contract into a written one by putting it in writing; your supplier (bank etc.) then has to refute your written version of their contract.

Yes you can; your bank and credit card company do it all the time. They send you notice of a change of T's and C's; you could write and refuse, but then essentially you're giving notice of intent to terminate the contract.

You had previously entered into an explicit contract with them (opened an account), and I'm sure somewhere in their terms it says they can change the contract by giving notice. You can make silence the condition of accepting these new changes in your original contract - you c

You are kidding, right? Everyone who gets dismissed from a reasonably high-paying job in the USA is required, by their insurance company, to file a grievance. That's how the "income protection" scam works. From the customer's point of view you're just paying a premium to ensure you'll be able to meet your mortgage repayments should you lose your job. From the insurer's point of view you're paying for your legal fees in advance so they can reclaim your future mortgage repayments from your employer. Each of

Two points... First, there are so many obscure laws, sometimes it all boils down to a simple case of willpower. If some government official has a hard-on against you or your company, they will find SOMETHING they can charge you with. There are various laws per state (especially California) that a company could easily overlook without a massive legal department looking into all possibilities. And frankly that is beyond the scope and financial ability of most companies. At my own company, we spend a substa

The problem with this is that you're saying everyone with access to these records is trustworthy. Which they aren't. The same argument and reply goes to ISPs logging emails and the government wiretapping without a warrant.

Except this isn't always about "committing crimes" but civil issues. He-said-she-said crap that is used in courts to civilly damage a company for some perceived grievance about "fair employment" practices. People can't take responsibility for being the douchebags they are, so they want someone to blame when they get fired. Instead of changing their behavior they point the finger and say "he fired me because he thought I was a douchebag. That's not fair." And other idiots eat it up and award ridiculous winn

If a government wanted to stop people sending embarrassing e-mails (Hey, they are using OUR telecoms infrastructure!) then you would call them tyrannical. But hey, if a government ran every aspect of life on its territory through an autocratic, undemocratic hierarchy you would probably cry foul too. Apparently there's two sets of rules.

And before you inevitably say that people are free to leave a corporation - the fact is that in a world of massive debt and no safety net, your only other option is jumping t

What about the option of using an (albeit more expensive) (volatile) DRAM-based SSD for your email servers? If *someone* subpoenas it, kindly provide it (unplugged) with any passwords and a full set of encryption keys... (Assuming there are not already laws prohibiting a corporation from using a faster (700-1400 MB/s @ 3s), more reliable (protected with both ECC and RAID), higher I/O performing (3 million random IOPS), volatile DRAM SSD array for their email storage?) "Here is my untouched email server storage device all boxed up and sealed as required per your subpoena order..."

Don't be ridiculous. You subpoena *information*, not hardware. You present them with a hard drive that's been wiped of its data, even if you wiped it merely by unplugging it, and you've erased subpoenaed data, and you are in a WHOLE lot of trouble, including, quite possibly, criminal prosecution and jail time.

Actually, no, you can subpoena the hardware, so that the drives can be ghosted by a 3rd party, gone over by a forensic examiner, etc. Doesn't mean that the hardware has to leave the facility... If it is a specific hardware device, more or less unique or too expensive to duplicate, then the hardware can be possessed until information has been retrieved from it or it is no longer required to be used to extract the data.

You are not asked for the hardware, you are asked for the information. That means that you are to provide a non-volatile copy. If you try to pull this stunt you're IMHO most likely ending up with a charge for destroying evidence, and you can ask "Oops, I shredded Enron docs again" Andersen what happens next..

In the UK you can make their life a bit more difficult by storing part of your recovery (backdoor) crypto key abroad. It's not unreasonable to be slow at that point because you have to recover the key p

That should work fine for your private email server; however, public businesses are subject to a whole host of records retention guidelines, for the specific purpose of feeding discovery if they're ever sued. Just as it is illegal to shred business records, it is also illegal to delete business-related emails.

That should work fine for your private email server; however, public businesses are subject to a whole host of records retention guidelines,

Public businesses are subject to tighter rules on record keeping than private persons, true. But if it's shown you deleted information after the subpoena for it was served, it doesn't matter what you are, your ass is grass.

It's not illegal to destroy documents via shredding, as long as it is done consistently per a policy that also conforms to whatever regulatory requirements are in place. Same goes for e-mail retention. Of course, nothing is more terrific for a company involved in a lawsuit in discovery, feeling confident that a particular e-mail thread being looked for was erased per said e-mail retention policy, only for it to show up in one of the employees' (maybe the jerk's administrative assistant's) local e-mail archive

The closed and criminal nature of most corporations is the core problem. If they were open about what value they were providing and how then there would be no problem with remarks about corporate processes and performance being written in e-mail or any other medium prone to sharing and archival.

And this is a bad thing.... why? Because it's easier to catch crooked companies (all of them) breaking the law? The article literally consists of corporate lawyers whining about how email makes it harder to conceal criminal actions because they can be found in discovery. Contrary to what the article seems to imply, very few court cases involving email discovery are based on harassment claims. Mostly they're about companies trying to screw each other on business deals. For the most part, it's perfectly LEGALLY s

Certainly it can be done in real time, by your standard everyday keylogger. Of course, installing keyloggers on ALL your employees' machines, and having complete access to everything they write, does raise some thorny questions. Not to mention that someone has to actually assess the data.

This really doesn't look like it's going to take corporate email security to a new level. Individual profiling, however, might be a different story.

It's machine time you're devoting, and machine time is cheap. It takes the human a few minutes to start it going and the machine does the rest. I fairly recently had my NSLU2 (a tiny Linux box with a 266 MHz ARM processor and 32 MiB of RAM) unzip a 57 GiB file. It took it five days. It took me less than 30 seconds.

My company owns my email like they own the oxygen I breathe while I am working. In other words: they don't.

You do not become a street whore simply by agreeing to work for someone. Companies don't understand this. If allowed, they would claim every last cell of your body as their property.

While I agree with the second paragraph, I take issue with the first. If you are using company email servers and equipment, they do own the email. You don't get a free ride just because you work for the company. Everything you do on their systems has to follow their acceptable use policy, if they have one.

To be more precise, the problem is not that the company you work for wants to read your email. The problem referenced in TFA is that somebody else wants to read your email. The usual scenario is that somebody is suing the company you work for and has demanded all the company's email as part of discovery; your employer is going to fight hard to stop your email from being disclosed, but the other side might still get it. So it's not a Big Brother problem in the sense that your own boss is watching you, it's a Big

My company owns my email like they own the oxygen I breathe while I am working. In other words: they don't.

If you are using company email servers and equipment, they do own the email. You don't get a free ride just because you work for the company. Everything you do on their systems has to follow their acceptable use policy, if they have one.

Not to mention the fact that the air you breathe also comes from their AC units.

>If you are using company email servers and equipment, they do own the email.

This is very much dependent on your location and may be quite true in the US. However, there are quite civilized countries in the world where this is not true. For example, in Finland, your e-mail box on the corporate servers is protected by privacy laws as your personal area.

In practice this means that if anyone else wants to access your e-mail, you must be asked for consent. If you get hit by a car and end up comatose and thus incap

Not really -- if you used a typewriter to write a physical letter on company letterhead and sent it inter-office, then it'd be just as discoverable in litigation as an email. The question here isn't who "owns" the document, it's whether a party to litigation can get access to it. Your employer is likely going to try to protect your privacy by preventing the document from being discovered. It's not a question of ownership at all, it's a question of access and the discovery process in litigation. The whole point of di

I think you missed the point here. We're talking about emails etc. that are related to lawsuits. If you are subpoenaed and required to hand over your computer hard drive as part of the discovery process, you are required to hand over your encryption keys too. PGP etc. wouldn't do you any good.

If, as an engineer, you signed off on the final product and it failed, it doesn't matter what concerns you expressed to management; you signed off on it, it's your ass facing the negligent homicide trial.